How to segment my network (VLANs, UTM, Cascading)

yikyi

Occasional Visitor
Good Morning, Afternoon or Evening

I'm using Merlin's firmware for quite a while now - but I'd like to improve network security. I thought about the following:

1 Asus router connected to the internet (cable and 4G (LTE) load balancing) for:
  • load balancing
  • ABSolution
  • DNScrypt
Sophos UTM for
  • security
  • VLANs
  • etc
Another Asus router in AP mode, for
  • WiFi #1
  • WiFi #2
  • VLAN #2
  • VLAN #3
a Switch:
  • VLAN #2
  • VLAN #3
Is it possible to segregate a network like this? I thought it would be nice to have different zones, like:
  • WiFi #1 as part of VLAN 2
  • WiFi #2 as part of VLAN 3
  • VLAN 1:
    • admin / APs only
  • VLAN 2:
    • Office / personal stuff - devices (Computer, Printer)
    • NAS
  • VLAN 3:
    • IoT
      • Echo
      • Hue lights
      • etc
    • Media
      • TV
      • Playstation
      • etc
Is this possible with two Asus routers and a (random) switch? Or do I need a switch with special functions for separating the VLANs properly?
Is it possible to link a certain WiFi with a certain VLAN?
If anyone wonders why I want another Asus router before the UTM: I just prefer ABSolution over the Sophos UTM Ad-Filtering and I want to use load balancing with a USB-4G-Dongle.
 
...do I need a switch with special functions for separating the VLANs properly?

You need VLAN capable switches:
https://www.snbforums.com/threads/asus-merlin-question-on-lan-restrictions.37492/#post-308399

Since my OP, I have slowly been tweaking my original VLAN topology/deployment.
I have the following config now for specific usage: IoT, VPN etc. (VLAN200 is now only used for ad-hoc testing)
Code:
18: vlan20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT

19: vlan30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    alias IoT

20: vlan40@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    alias Internet

21: vlan50@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    alias VPN

22: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT

Separating wired devices such as the Samsung TVs / SKY boxes via VLAN20 (I suppose I should really give VLAN20 an alias of 'Media'?! :oops:) is easily accomplished by plugging the TV/Satellite LAN cable into the dedicated VLAN port - once I configured the appropriate PID on the tp-link/Netgear switches ...only took 5 mins after I properly RTFM'd the tp-link/Netgear manuals :oops:

...Is it possible to link a certain WiFi with a certain VLAN?

Well, I have successfully created the appropriate bridges to combine a wired VLAN with a Guest Wifi

e.g. br1 is used for Wired/2.4GHz Wifi Guest 3 (wl0.3) VPN access (via VPN Client 1) to the USA so is explicitly configured to 'exclusively' use the VPN Client 1 DNS servers)
Code:
./VLANSwitch.sh 50 status verbose

(VLANSwitch.sh): 5865 v1.02 © 2016-2017 Martineau. VLAN configuration utility.

           vlan50 Robocfg Status
           =====================
   1: vlan1: 1 2 3 4t 5t
  50: vlan50: 4t 5t

           vlan50 Bridge Status
           ====================
br1  8000.acxxxxxxxxa0 no  wl0.3
                           vlan50

br1       Link encap:Ethernet  HWaddr XX:XX:XX:XXX:XXX:XXX
          inet addr:10.88.101.1  Bcast:10.88.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:114903 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8336272 (7.9 MiB)  TX bytes:261249709 (249.1 MiB)


           vlan50 Status
           =============
vlan50    Link encap:Ethernet  HWaddr XX:XX:XX:XXX:XXX:XXX
          inet addr:10.88.50.1  Bcast:10.88.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88948 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157861 errors:0 dropped:742 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6396654 (6.0 MiB)  TX bytes:212647717 (202.7 MiB)

           vlan50 Statistics
           =================
vlan50  VID: 50  REORDER_HDR: 1  dev->priv_flags: 8001
         total frames received        88948
          total bytes received      6396654
      Broadcast/Multicast Rcvd          793
      total frames transmitted       157861
       total bytes transmitted    212647717
            total headroom inc          689
           total encap on xmit       158603
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

            Firewall rules
            ==============
7        0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            10.88.8.131
8        0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            10.88.8.132
9        0     0 ACCEPT     all  --  tun11  vlan50  0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 ACCEPT     all  --  vlan50 tun11   0.0.0.0/0            0.0.0.0/0            state NEW
11       0     0 DROP       all  --  br0    vlan50  0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 DROP       all  --  vlan50 br0     0.0.0.0/0            0.0.0.0/0            state NEW
13       0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            0.0.0.0/0            state NEW

            DNS VPN rules
            =============
Chain DNSVPN1 (2 references)
3      816 68071 DNAT       all  --  br1    *       10.88.101.0/24       0.0.0.0/0            to:10.200.197.1
Chain DNSVPN2 (2 references)

 br1 ACTIVE devices (ARP only accurate within 60secs?)
 =====================================================
10.88.101.18 XX:XX:XX:XX:XX:XX N/A  (HP-DM1.Martineau.lan)

Clearly there are the necessary ACCEPT firewall rules (if required) and obviously VLANs are on their own separate subnets which helps show any 'leaks' etc.

I think there may be a post where someone managed to get an AP to VLAN tag Wifi traffic [EDIT: actually he moved ALL Guest Wifi to br1 to isolate his IoT Hue lights]

EDIT: Found https://www.snbforums.com/threads/guest-vlans-over-the-network-on-asus-ac5300.29460/#post-270059

...but as stated in my OP - I acquired a UniFi AP which does support multiple Wifi VLAN tagging to have a play.

NOTE: Pretty standard configuration i.e. this setup does not require the use of ebtables!
 
One quick additional question: Are different WiFi-(Guest)-Networks available in AP-mode?
 
Thank you very much Martineau, you pointed out some helpful aspects!
But I'm still a bit confused: your Asus works as a router and you have an additional (VLAN capable switch), right?
Is it possible to have, e. g. an Asus AC87U, in AP-mode to have it working as a VLAN capable switch and use several WiFi networks bridged to the VLANs on the AC87U? Say I create subnets on Sophos UTM and use the AC87U as an access point. Would this work? Or has the AC87U to be in router mode to be capable of handling several WiFi networks (offered as guest networks in the configuration menu)?
 
Your Asus works as a router and you have an additional (VLAN capable switch), right?

Yes, the 5 downstream (VLAN capable) switches perform the actual tagging of the packets (with the appropriate VLAN PID) for the originating IoT device such as the Samsung TV etc, and the designated port on the router is modified to act as a 'trunk' port to pass the tagged VLAN traffic to the Internet.

Is it possible to have, e. g. an Asus AC87U, in Ap-mode to have it working as a VLAN capable switch and use several WiFi networks bridged to the VLANs on the AC87U?

I don't believe the firmware in AP mode (or even Router mode) is capable of handling tagged VLAN WiFi traffic?... although I could be wrong.

However, in AP mode, I don't see why the AP switch ports cannot also be configured to act as 'trunk' ports.
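The vlan50 status dump and the trunk-port discussion above describe the pattern in pieces: tag the switch port, create the tagged sub-interface with its own subnet, then fence it off from br0 with firewall rules ordered DROP-before-ACCEPT. This is an added example that pulls the steps together as a dry-run-able shell script; it is not Martineau's VLANSwitch.sh or any Asus firmware code. It assumes eth0 is the CPU-facing switch device, ports "4t 5t" are the trunk and CPU ports as in the Robocfg status above, vlan2 is the WAN device, and the `robocfg vlan <id> ports "<list>"` syntax; treat all of those as assumptions to verify against your own model.

```shell
#!/bin/sh
# Added example (not from the thread or the project): bring up a tagged VLAN on
# an Asus router, give it its own subnet, and isolate it from the main LAN
# bridge (br0) with a dedicated iptables chain.
# Assumptions: eth0 = CPU-facing switch device, vlan2 = WAN device,
# robocfg port-list syntax. With no argument the script only prints commands.

run() {
    # Execute a command line, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

vid_ok() {
    # Accept only tag IDs 2..4094: 1 is the untagged LAN, 0 and 4095 are reserved.
    case "$1" in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

vlan_up() {
    # $1 VLAN id, $2 robocfg port list (e.g. "4t 5t"), $3 address/prefix.
    vid="$1"; ports="$2"; addr="$3"
    vid_ok "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    # Tag the frames on the physical trunk port and carry them to the CPU port.
    run "robocfg vlan $vid ports \"$ports\""
    # Create the tagged sub-interface on the CPU-facing device and address it.
    run "ip link add link ${PARENT:-eth0} name vlan$vid type vlan id $vid"
    run "ip addr add $addr dev vlan$vid"
    run "ip link set vlan$vid up"
}

vlan_isolate() {
    # $1 VLAN id. Rules live in their own chain so they can be flushed together.
    vid="$1"; chain="VLAN${vid}_ISO"; wan="${WAN_IF:-vlan2}"
    vid_ok "$vid" || return 1
    run "iptables -N $chain"
    # Refuse new connections between the main LAN bridge and the VLAN, both ways.
    run "iptables -A $chain -i br0 -o vlan$vid -m state --state NEW -j DROP"
    run "iptables -A $chain -i vlan$vid -o br0 -m state --state NEW -j DROP"
    # Let the VLAN out to the Internet only; replies return via the firmware's
    # existing ESTABLISHED,RELATED rule.
    run "iptables -A $chain -i vlan$vid -o $wan -m state --state NEW -j ACCEPT"
    # Anything else leaving the VLAN (another VLAN, for instance) is refused
    # explicitly rather than left to the chain's default policy.
    run "iptables -A $chain -i vlan$vid -m state --state NEW -j DROP"
    # Evaluate the chain before the firmware's own FORWARD rules.
    run "iptables -I FORWARD -j $chain"
}

# Demonstration with constructed values: prints the commands unless run with
# the single argument "apply".
if [ "${1:-}" != "apply" ]; then DRY_RUN=1; fi
vlan_up 50 "4t 5t" 10.88.50.1/24
vlan_isolate 50
```

Run it without arguments first and read the printed rules; the DROP pair for br0 comes before the WAN ACCEPT, which is the ordering the vlan50 firewall listing above shows. For a VLAN that should egress through a VPN client rather than the WAN, point the ACCEPT at the tunnel device (tun11 in the listing above) instead of vlan2, as the post's rules 9 and 10 do.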
 
Obviously, this whole network stuff is quite new to me, so I do not really see the possibilities.
E. g., how could I perform the following:

Smartphone connected to WLAN.
Smartphone can communicate with NAS (LAN) and Chromecast(WLAN).
Chromecast can't see or communicate with NAS.

Maybe VLANs aren't even what I actually need, I'm not sure about that. I basically want different groups of devices: wired and wireless devices for office and personal stuff which can interact with each other; wired and wireless devices for media, which mostly needs access to the internet and are controlled by devices from the personal group, but which shouldn't see the other personal devices nor all the other devices of the same "media" group, but maybe some of them. Sounds complicated...

Any hints are highly appreciated :)
 
E. g., how could I perform the following:

Smartphone connected to WLAN.
Smartphone can communicate with NAS (LAN) and Chromecast(WLAN).

Chromecast can't see or communicate with NAS.

Adding the following ebtables rule should prevent the Chromecast from initiating a connection with the NAS

e.g. substitute $Chromecast and $NAS with their actual IP address
Code:
ebtables -t broute -I BROUTING -p ipv4 --ip-src $Chromecast --ip-dst $NAS -j DROP

then you can check if packets are being 'blocked' using command
Code:
ebtables -t broute -L --Lmac2 --Lc --Ln

e.g. Just blocked my Nexus 7 access to a LAN NAS and it shows 81 packets dropped i.e. DSPhoto app inexplicably now can't access the albums - much to the annoyance of the current user! :p
Code:
ebtables -t broute -L --Lmac2 --Lc --Ln

Bridge table: broute
Bridge chain: BROUTING, entries: 4, policy: ACCEPT
1. -p IPv4 --ip-src 10.88.8.155 --ip-dst 10.88.8.197 -j DROP , pcnt = 81 -- bcnt = 4716



./ARPDevices.sh

<snip>
10.88.8.155 xx:xx:xx:xx:xx:xx Nexus-7  (Nexus-7.Martineau.lan)
10.88.8.197 xx:xx:xx:xx:xx:xx DS-416   (DS-416.Martineau.lan)

NOTE: Whilst the ebtables rule appears to use a DROP target, technically it isn't actually physically blocking the traffic, but is actually passing it up to the Firewall rules which doesn't explicitly have an ACCEPT rule! ;)
 
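Martineau's closing note is the part worth acting on: the broute DROP only diverts the frame to the IP layer, and the block then rests on FORWARD happening to have no matching ACCEPT. This added example (my code, not from the thread) pairs the ebtables rule with an explicit iptables DROP so the isolation does not depend on that, and parses the `ebtables -t broute -L --Lc` listing to read the packet counter back, which is how the post confirms the rule is being hit. The 10.88.8.155 and 10.88.8.197 addresses are the ones quoted above; 10.88.8.160 and the listing text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): pair the broute DROP with an explicit
# iptables FORWARD DROP, and read the broute packet counters to confirm the rule
# is matching. 10.88.8.160 and SAMPLE_LISTING below are constructed.

run() {
    # Execute a command line, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

isolate_pair() {
    # $1 client IP that must not initiate connections to $2; both on br0.
    src="$1"; dst="$2"
    # Layer 2: take the frame out of the bridge's switching path so it is not
    # forwarded straight from the wireless client to the wired NAS port.
    run "ebtables -t broute -I BROUTING -p ipv4 --ip-src $src --ip-dst $dst -j DROP"
    # Layer 3: the brouted packet is now handled by the IP stack, so refuse it
    # explicitly instead of relying on FORWARD having no matching ACCEPT.
    run "iptables -I FORWARD -s $src -d $dst -m state --state NEW -j DROP"
}

broute_pcnt() {
    # $1 = text of 'ebtables -t broute -L --Lc', $2 = src IP, $3 = dst IP.
    # Prints the pcnt of the matching rule, or 0 when no rule matches.
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
        index($0, "--ip-src " s " ") && index($0, "--ip-dst " d " ") {
            for (i = 1; i <= NF; i++)
                if ($i == "pcnt") { print $(i + 2); found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Constructed listing in the format the post above shows.
SAMPLE_LISTING='Bridge table: broute
Bridge chain: BROUTING, entries: 2, policy: ACCEPT
1. -p IPv4 --ip-src 10.88.8.155 --ip-dst 10.88.8.197 -j DROP , pcnt = 81 -- bcnt = 4716
2. -p IPv4 --ip-src 10.88.8.160 --ip-dst 10.88.8.197 -j DROP , pcnt = 0 -- bcnt = 0'

# Dry-run demonstration: print the rules, then report whether the counter moved.
DRY_RUN=1
isolate_pair 10.88.8.155 10.88.8.197
n=$(broute_pcnt "$SAMPLE_LISTING" 10.88.8.155 10.88.8.197)
if [ "$n" -gt 0 ]; then
    echo "broute rule is matching: $n frames diverted"
else
    echo "broute rule has not matched yet: check the client is really on the bridge"
fi
```

On a live router, feed the real listing in with `broute_pcnt "$(ebtables -t broute -L --Lc)" 10.88.8.155 10.88.8.197`; a counter that stays at 0 after the client has tried to reach the NAS usually means the two devices are not traversing the bridge you expected (a second AP, or the NAS on a different bridge). Running the script with DRY_RUN unset applies both rules for real.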
